You might trust your phone’s four-digit PIN to keep an Apple picker from cracking your precious smartphone, but if they’ve got $200 to blow on a 3-D-printed machine, the Robotic Reconfigurable Button Basher (R2B2) can bust your phone wide open.
The R2B2 isn’t fancy: It cracks codes through sheer brute-force determination, but it works with buttons, touch screens, or pattern-tracing codes. It will punch in a code per second, exhaustively cracking an Android four-digit PIN within 20 hours, but “times for other devices vary depending on lockout policies and related defenses.”
R2B2’s inventors, security researchers Justin Engler and Paul Vines, developed the machine to prove the “nobody’s going to try all 10,000 combinations” argument wrong. They even did it for under $200 using a few servomotors, an Arduino chip, 3-D-printed parts from a desktop Makerbot, and a $5 webcam that tracks whether the code’s been cracked. Its open-source software can be used on Mac or PC and controlled via USB.
Not all phones are as susceptible to the R2B2’s repetitive attacks—iOS, for example, increases the time between PIN attempts after each wrong guess—but Android’s factory settings institute just one 30-second delay after every five wrong tries, meaning the R2B2 can make approximately 35 guesses per minute. This means it can find the right PIN within 19 hours and 24 minutes, according to Forbes’ calculations.
Engler and Vines will release the part blueprints when they debut the R2B2 at next month’s Def Con, but the first demo will take place at the Black Hat USA 2013 security conference in Vegas at the end of the month. Debuting alongside R2B2 will be its sister device, the Capacitive Cartesian Coordinate Bruteforcing Overlay (C3BO). Unlike the pad-tapping R2B2, the C3BO electronically stimulates touchscreens, which can work faster than the R2B2 in some circumstances.
Engler and Vine plan on improving the robot to crack non-digital PIN devices such as ATMs and safes, all in the name of increased security. Their point is that putting just a little more thought into how we secure our devices can help. Thieves might willingly take 20 hours to crack a CEO’s phone for sensitive emails, but even ramping up from a four-digit to a six-digit PIN adds up to 80 days to the R2B2’s cracking time.